Vulnerabilities > Westerndigital

DATE CVE VULNERABILITY TITLE RISK
2023-05-18 CVE-2022-36326 Resource Exhaustion vulnerability in Westerndigital products
An uncontrolled resource consumption vulnerability issue that could arise by sending crafted requests to a service to consume a large amount of memory, eventually resulting in the service being stopped and restarted was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices.
network
low complexity
westerndigital CWE-400
4.9
2023-05-18 CVE-2022-36327 Path Traversal vulnerability in Westerndigital products
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could allow an attacker to write files to locations with certain critical filesystem types leading to remote code execution was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices.
network
low complexity
westerndigital CWE-22
critical
9.8
2023-05-18 CVE-2022-36328 Path Traversal vulnerability in Westerndigital products
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could allow an attacker to create arbitrary shares on arbitrary directories and exfiltrate sensitive files, passwords, users and device configurations was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices.
network
low complexity
westerndigital CWE-22
4.9
2023-05-10 CVE-2022-29840 Server-Side Request Forgery (SSRF) vulnerability in Westerndigital MY Cloud OS
Server-Side Request Forgery (SSRF) vulnerability that could allow a rogue server on the local network to modify its URL to point back to the loopback adapter was addressed in Western Digital My Cloud OS 5 devices.
local
low complexity
westerndigital CWE-918
5.5
2023-05-10 CVE-2022-29841 OS Command Injection vulnerability in Westerndigital MY Cloud OS
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that was caused by a command that read files from a privileged location and created a system command without sanitizing the read data.
network
low complexity
westerndigital CWE-78
critical
9.8
2023-05-10 CVE-2022-29842 Command Injection vulnerability in Westerndigital MY Cloud OS
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability that could allow an attacker to execute code in the context of the root user on a vulnerable CGI file was discovered in Western Digital My Cloud OS 5 devicesThis issue affects My Cloud OS 5: before 5.26.119.
network
low complexity
westerndigital CWE-77
critical
9.8
2023-05-10 CVE-2022-36329 Unspecified vulnerability in Westerndigital products
An improper privilege management issue that could allow an attacker to cause a denial of service over the OTA mechanism was discovered in Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi devices.This issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191.
network
low complexity
westerndigital
7.5
2023-05-10 CVE-2022-36330 Classic Buffer Overflow vulnerability in Westerndigital products
A buffer overflow vulnerability was discovered on firmware version validation that could lead to an unauthenticated remote code execution in Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi devices.
network
high complexity
westerndigital CWE-120
8.1
2023-05-08 CVE-2023-22813 Missing Authorization vulnerability in Westerndigital products
A device API endpoint was missing access controls on Western Digital My Cloud OS 5 iOS and Anroid Mobile Apps, My Cloud Home iOS and Android Mobile Apps, SanDisk ibi iOS and Android Mobile Apps, My Cloud OS 5 Web App, My Cloud Home Web App and the SanDisk ibi Web App.
network
low complexity
westerndigital CWE-862
4.3
2023-02-06 CVE-2021-36224 Use of Hard-coded Credentials vulnerability in Westerndigital MY Cloud OS
Western Digital My Cloud devices before OS5 have a nobody account with a blank password.
network
low complexity
westerndigital CWE-798
critical
9.8